Access to CCTV footage under GDPR datascan redaction

Many organisations that use CCTV on their premises are still unsure of how GDPR applies to them.  It is important to know what you need to consider and how to stay compliant, particularly with the risk of large penalties.

CCTV Footage is Personal Data

CCTV cameras capture the images of individuals and accordingly, they process personal data.  When you can identify a person on the footage then it is personal information.  Video recording equipment can include CCTV, dash cams, action cams, camera-enabled drones, and other technologies.

It is still common practice to use CCTV, it makes sense in most business situations.  However, you must have a viable need or reason for the camera you have put up.  In most cases it comes down to providing a security measure that will monitor people coming and going in order to keep a building secure.

GDPR gives people the right to know what you are collecting about them and request access to see it.  If they ask you must comply.  When it comes to CCTV footage, here are some questions you must be able to answer:

Why are you collecting the information?

Is that CCTV camera necessary in that area?  If it is on an entrance or in an area that may be vulnerable to intruders, then it makes sense.  CCTV should not be in an area where you would expect privacy – for example a camera in a staff canteen would be unusual. You should be able to justify why you have the cameras and what the purpose is.   There should be signage that clearly explains that there is recording going on and why.  CCTV signs must also clearly show the name of the Data Controller for the CCTV system.

Who is viewing the footage?

The footage you collect should only be viewed and shared with a select few.  It’s not right to allow just anybody to view the footage, you are leaving yourself at risk if you do.   If you need to share the footage with people outside the organisation then you will need to have the footage edited.  The video will need to be redacted in order to blur out faces and other identifiable features.  If you fail to do so, you could be sharing personal information and that would be a breach of data protection.

How long are you keeping the footage?

Do not keep information for longer than is necessary.  The time frame will be up to you, use your discretion and don’t leave yourself open to scrutiny. Only keep the footage for a month or so, then if you want to keep it longer you should ensure you have a good reason.   If you are storing it for longer, you will need to ensure it is secure

Ensure you know the basics  

You should know how to handle a data subject request.  Don’t risk accidently sharing data that you should not.  Ignorance is no defence, it’s up to the business owner to ensure all the team know what they need to do.  Decreasing access to the footage will reduce the chance of an accidental breach.  You may want to consider doing a risk assessment and putting in place a policy to cover CCTV footage access, processes and requests.


If you need to provide CCTV footage as part of a data subject access request and need to have it redacted, then you should speak to the expert team at Datascan Redaction Services.  Our service is secure, professional and fast.